[CI] Add dependabot and govulncheck checks #6435

Open
mohammedfirdouss wants to merge 3 commits into pipe-cd:master from mohammedfirdouss:feat/add-dependabot-govulncheck

Conversation

Contributor

@mohammedfirdouss mohammedfirdouss commented Jan 15, 2026

What this PR does:
Adds automated dependency and vulnerability checks to CI by introducing Dependabot configuration and integrating govulncheck into the lint workflow.

This PR configures Dependabot to monitor Go and npm dependencies across key directories, and extends lint CI to run govulncheck for Go modules via matrix jobs. It also keeps a completion-job pattern for branch protection compatibility.

Why we need it:
Without continuous dependency and vulnerability checks, security updates can be delayed and known Go vulnerabilities may go unnoticed until later stages.

Which issue(s) this PR fixes:

Refs #6409

Does this PR introduce a user-facing change?:

  • How are users affected by this change: No direct end-user UI/API behavior change. Contributors and maintainers get stronger CI safety checks and automated update visibility.
  • Is this breaking change: No
  • How to migrate (if breaking change): N/A

Validation:

  • Verified Dependabot config structure and ecosystem coverage in .github/dependabot.yml.
  • Verified govulncheck workflow wiring and matrix execution logic in .github/workflows/lint.yaml.
  • Confirmed expected PR/push CI behavior for vulnerability scanning.


Contributor

@Ayushmore1214 Ayushmore1214 left a comment

Adding go module caching would be better for faster CI runs WDYT @mohammedfirdouss ?

@mohammedfirdouss
Contributor Author

> Adding go module caching would be better for faster CI runs WDYT @mohammedfirdouss ?

Hmm, I think this is a good idea.

khanhtc1202 previously approved these changes Jan 28, 2026
Member

@khanhtc1202 khanhtc1202 left a comment

LGTM, thanks 👍

codecov Bot commented Jan 28, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 53.96%. Comparing base (f8c446a) to head (f9b0930).
⚠️ Report is 44 commits behind head on master.

Additional details and impacted files
@@             Coverage Diff             @@
##           master    #6435       +/-   ##
===========================================
+ Coverage   29.47%   53.96%   +24.49%     
===========================================
  Files         584        7      -577     
  Lines       62474      315    -62159     
===========================================
- Hits        18414      170    -18244     
+ Misses      42636      129    -42507     
+ Partials     1424       16     -1408     
Flag Coverage Δ
. ?
.-pkg-app-pipedv1-plugin-analysis ?
.-pkg-app-pipedv1-plugin-ecs ?
.-pkg-app-pipedv1-plugin-kubernetes ?
.-pkg-app-pipedv1-plugin-kubernetes_multicluster ?
.-pkg-app-pipedv1-plugin-scriptrun 54.83% <ø> (ø)
.-pkg-app-pipedv1-plugin-terraform ?
.-pkg-app-pipedv1-plugin-wait ?
.-pkg-app-pipedv1-plugin-waitapproval 52.71% <ø> (ø)
.-pkg-plugin-sdk ?
.-tool-actions-gh-release ?
.-tool-actions-plan-preview ?
.-tool-codegen-protoc-gen-auth ?

@mohammedfirdouss
Contributor Author

@khanhtc1202 Merge conflict has been resolved.

khanhtc1202 previously approved these changes Feb 11, 2026
Member

@khanhtc1202 khanhtc1202 left a comment

LGTM

@github-actions github-actions Bot

This PR is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 7 days.

@github-actions github-actions Bot added the Stale label Mar 14, 2026
Member

Warashi commented Mar 14, 2026

@mohammedfirdouss
Thank you, this is nice!

But I have a concern.
If we merge this PR without resolving the govulncheck failures, the CI on the master branch will fail.
I want the master branch to pass all the CI checks, so I don't want to merge this PR as is.
On the other hand, I think resolving the failures within this PR seems difficult. Could you please open an issue to resolve them?
If you have time, please try to resolve them.

@khanhtc1202 please comment if you have another idea.

Contributor Author

mohammedfirdouss commented Mar 14, 2026

> @mohammedfirdouss Thank you, this is nice!
>
> But I have a concern. If we merge this PR without resolving the govulncheck failures, the CI on the master branch will fail. I want the master branch to pass all the CI checks, so I don't want to merge this PR as is. On the other hand, I think resolving the failures within this PR seems difficult. Could you please open an issue to resolve them? If you have time, please try to resolve them.
>
> @khanhtc1202 please comment if you have another idea.

Hi @Warashi, thank you for catching this!

You're absolutely right. Let me investigate the govulncheck failures immediately.

My plan:

  1. Run govulncheck locally to identify the specific vulnerabilities
  2. Check if they're from this PR's changes or pre-existing dependencies
  3. Either fix them directly in this PR (if straightforward) or create a tracking issue (if complex)
  4. Re-test with full CI before requesting re-review

I'll have findings + plan by end of day and will either push fixes or create the tracking issue shortly.

@khanhtc1202 - thoughts on preferred approach?

Contributor Author

mohammedfirdouss commented Mar 18, 2026

Created tracking issue #6600. The govulncheck failures are pre-existing vulnerabilities, this PR correctly surfaces them. I'll work on fixing them in a separate PR so we can unblock this one without breaking master. The scan still runs and reports vulnerabilities, but won't block the PR from merging. Once the vulnerabilities are fixed (tracked in #6600), we can make it blocking again. Ready for re-review @Warashi @khanhtc1202

Also, I saw that I will have to update the Go version, so that would probably be a huge bump since it will affect other yml files like test etc. Please check the tracking issue for more info.

CI Run: https://github.com/pipe-cd/pipecd/actions/runs/23225979807
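The wiring described in the PR description (Dependabot covering Go and npm, govulncheck run per Go module through a matrix, a single completion job for branch protection) and the non-blocking mode described in the comment above are sketched below as an added example. This is not the PR's own .github/dependabot.yml or lint.yaml; the module directories, the npm directory, the job names and the schedule are assumptions chosen for illustration.

```yaml
# .github/dependabot.yml (illustrative; directories are assumptions)
version: 2
updates:
  - package-ecosystem: gomod
    directory: /                        # root Go module
    schedule:
      interval: weekly
    open-pull-requests-limit: 10
    groups:
      go-minor-patch:                   # batch non-major bumps into one PR
        update-types: ["minor", "patch"]
  - package-ecosystem: npm
    directory: /web                     # assumed location of the frontend
    schedule:
      interval: weekly
  - package-ecosystem: github-actions
    directory: /                        # keep the workflows' own actions patched too
    schedule:
      interval: weekly
---
# .github/workflows/lint.yaml (excerpt; module list and job names are assumptions)
name: lint
on: [push, pull_request]

jobs:
  govulncheck:
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false                  # let every module report, not only the first failure
      matrix:
        module: [".", "pkg/plugin/sdk", "tool/actions-gh-release"]
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
        with:
          go-version-file: ${{ matrix.module }}/go.mod
          cache-dependency-path: ${{ matrix.module }}/go.sum   # module cache per matrix leg
      - run: go install golang.org/x/vuln/cmd/govulncheck@latest
      - name: govulncheck
        working-directory: ${{ matrix.module }}
        # Non-blocking while the pre-existing findings are fixed elsewhere:
        # the step still runs and reports, but the job stays green.
        # Delete this line to make the check blocking again.
        continue-on-error: true
        run: govulncheck ./...

  # The one job branch protection requires; it aggregates the matrix legs.
  govulncheck-result:
    if: always()                        # run even when a leg failed or was cancelled
    needs: govulncheck
    runs-on: ubuntu-latest
    steps:
      - run: |
          # needs.<job>.result is the combined outcome of all matrix legs:
          # success, failure, cancelled or skipped.
          test "${{ needs.govulncheck.result }}" = "success"
```

Two things a practitioner would check before relying on this: `needs.govulncheck.result` only turns into `failure` if some leg fails, so `continue-on-error` on the govulncheck step is what keeps the gate green while the pre-existing findings are tracked, and removing that single line is the whole "make it blocking again" step; and because Dependabot bumps arrive as ordinary pull requests, the `pull_request` trigger is what makes every proposed dependency update pass through govulncheck before it is merged.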

Member

Warashi commented Mar 18, 2026

@mohammedfirdouss
Thank you, that's a good approach. Could you please fix the build, test, and gen/code CI for this PR? Some of the errors may have resulted from updating the Go version, though I'm unsure if they are all related.

Contributor Author

> @mohammedfirdouss Thank you, that's a good approach. Could you please fix the build, test, and gen/code CI for this PR? Some of the errors may have resulted from updating the Go version, though I'm unsure if they are all related.

Sure no problem. I will look into this @Warashi

Member

@mohammedfirdouss please resolve the conflict, so that we can proceed to merge this PR, thanks 👍

@mohammedfirdouss mohammedfirdouss force-pushed the feat/add-dependabot-govulncheck branch from f9f0bf1 to f9b0930 April 23, 2026 07:40
@mohammedfirdouss mohammedfirdouss changed the title Add govulncheck job to lint workflow and fix matrix job result syntax [CI] Add dependabot and govulncheck checks Apr 23, 2026
@mohammedfirdouss mohammedfirdouss force-pushed the feat/add-dependabot-govulncheck branch from c03eabd to abfca05 April 23, 2026 08:03
Signed-off-by: Mohammed Firdous <124298708+mohammedfirdouss@users.noreply.github.com>
Signed-off-by: Mohammed Firdous <124298708+mohammedfirdouss@users.noreply.github.com>
Signed-off-by: Mohammed Firdous <124298708+mohammedfirdouss@users.noreply.github.com>
@mohammedfirdouss mohammedfirdouss force-pushed the feat/add-dependabot-govulncheck branch from abfca05 to 20eab53 April 23, 2026 08:08

6 participants